While corporate executives are increasingly becoming aware of
their obligation to be informed of cybersecurity threats
and the steps being taken by their company to prevent data
breaches, it is equally important for executives to ensure that the
employees are educated with respect to cyber threats. The data
breach prevention protocol of a company may only be as strong as
its weakest link.
Negligence or recklessness by a company's employee which
contributes to a successful data breach may expose the company to
liability. For example, employees may create risk by negligently
clicking on what is deemed to be an obvious phishing link, or
recklessly updating social media.
The scope of negligence in the cyber context remains largely
unexplored by case law. However, given the increasing awareness of
the frequency and nature of cyber threats, the standard of care
owed by a company to those individuals whose personal data is
stored may expand. With this expanded duty, companies could be
exposed to increased vicarious liability for their employees'
Vicarious Liability: The Test
A company may be vicariously liable for an employee's
negligent acts if the acts are committed in the course of
employment. This test gives rise to two questions: (1) who is an
employee and (2) what activities are committed in the course of
Who is an employee?
The question of who is an employee for purposes of determining
vicarious liability is not as simple as determining whether an
individual is designated an employee by the company.
Generally, a party is not vicariously liable for the tortious
actions of an independent contractor.1 In determining whether a party acts as an employee or as
an independent contractor, courts consider a number of factors
including the amount of control exercised over the worker, whether
the worker uses his or her own equipment, whether the worker hires
independent help, whether the worker takes on financial risk, the
degree of responsibility for investment and management held by the
worker and the worker's opportunity for profit.2
Do not assume that because someone is not designated as an
employee, liability for cyber breaches does not flow from their
negligent, reckless or intentional conduct.
What activities are committed in the course of employment?
Activities committed in the "course of employment"
include activities that the employer authorizes, as well as
activities carried out by the employee using the authority granted
to them by the employer.3 If the employer did not authorize the wrongful
activity, the court will consider whether the employer
"introduced the risk of the wrong".4 Put another way, the court may consider whether the
employer cloaked the individual with the authority through which
they committed the wrong.
Do not assume that because an employee is not authorized to
engage in particular tasks, the company will not be exposed to
the employee's negligent or reckless conduct in connection with
Conclusion: Application in Cybersecurity
In the world of cybersecurity, the actions of an
organization's employees are critical. Companies must train
employees around cybersecurity risks and ensure sufficient
oversight of employees with access to personal data.
Data breaches are inevitable, but liability for those breaches
may be minimized. Proper training and supervision of employees is
an essential element of data breach prevention.